I built a bridge using snort inline that works fantastic. You would need something like that so you could get new patterns for new attacks. Adding snort to the system would dramatically increase the size of the install but it would be really cool. I would think about working on that but I haven’t wrapped my head completely around how zeroshell saves and uses its settings. Also you would need a developer to put snort inline onto the livecd. Snort inline runs in memory after loading its patters from text files and uses iptables to direct traffic into it so it seems to be something that would be at least feasible.